From: Tim Otten
Date: Wed, 17 Dec 2014 06:25:58 +0000 (-0800)
Subject: CRM-15713 - CRM_Case_BAO_Case::accessCase - Split off from getCases().
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=546abeb16195ee2f1e17b2dc91e45698a60bf390;p=civicrm-core.git
CRM-15713 - CRM_Case_BAO_Case::accessCase - Split off from getCases().
This allows us to explicit control over more parameters (eg case_status_id) and to improve performance (by focusing on the specific $caseId).
---
diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php
index a6a6a538b2..98a566e3a8 100644
--- a/CRM/Case/BAO/Case.php
+++ b/CRM/Case/BAO/Case.php
@@ -3061,10 +3061,11 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 * Verify user has permission to access a case
 *
 * @param int $caseId
+ * @param bool $denyClosed set TRUE if one wants closed cases to be treated as inaccessible
 *
 * @return bool
 */
- static function accessCase($caseId) {
+ static function accessCase($caseId, $denyClosed = TRUE) {
 if (!$caseId || !self::enabled()) {
 return FALSE;
 }
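Review bot: The new `@param bool $denyClosed` line documents the flag but not the consequence for the return value: with `$denyClosed` TRUE the method answers FALSE both when the user has no relationship to the case and when the case is merely closed, so callers cannot distinguish "forbidden" from "closed". I would extend the docblock with `@return bool TRUE only if the case exists, is not deleted, is related to the current user and (when $denyClosed) is not closed; FALSE does not distinguish these reasons.` The changed signature also still omits a visibility keyword; `public static function accessCase($caseId, $denyClosed = TRUE)` states what the call sites in this commit already assume. The body of accessCase continues past the end of this hunk.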
@@ -3079,9 +3080,29 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 return FALSE;
 }
 
- $filterCases = CRM_Case_BAO_Case::getCases(FALSE);
+ $session = CRM_Core_Session::singleton();
+ $userID = CRM_Utils_Type::validate($session->get('userID'), 'Positive');
+ $caseId = CRM_Utils_Type::validate($caseId, 'Positive');
+
+ $condition = " AND civicrm_case.is_deleted = 0 ";
+ $condition .= " AND case_relationship.contact_id_b = {$userID} ";
+ $condition .= " AND civicrm_case.id = {$caseId}";
+
+ if ($denyClosed) {
+ $closedId = CRM_Core_OptionGroup::getValue('case_status', 'Closed', 'name');
+ $condition .= " AND civicrm_case.status_id != $closedId";
+ }
+
+ // We don't actually care about activities in the case, but the underlying
+ // query is verbose, and this allows us to share the basic query with
+ // getCases(). $type=='any' means that activities will be left-joined.
+ $query = self::getCaseActivityQuery('any', $userID, $condition);
+ $queryParams = array();
+ $dao = CRM_Core_DAO::executeQuery($query,
+ $queryParams
+ );
 
- return isset($filterCases[$caseId]);
+ return (bool) $dao->fetch();
 }
 
 /**
diff --git a/CRM/Case/Page/AJAX.php b/CRM/Case/Page/AJAX.php
index f51db8c8c2..273fd97548 100644
--- a/CRM/Case/Page/AJAX.php
+++ b/CRM/Case/Page/AJAX.php
@@ -126,7 +126,7 @@ class CRM_Case_Page_AJAX {
 function caseDetails() {
 $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive');
- if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ if (!CRM_Case_BAO_Case::accessCase($caseId, FALSE)) {
 CRM_Utils_System::permissionDenied();
 }
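Review bot: The three `$condition .=` lines build the access-control predicate by string interpolation (`{$userID}`, `{$caseId}`, `$closedId`) while the `$queryParams` array passed to `executeQuery()` is left empty, so the query's safety rests entirely on the two `CRM_Utils_Type::validate(..., 'Positive')` calls and on `$closedId` never being anything but an integer. `$closedId` comes from `CRM_Core_OptionGroup::getValue()` and is not validated at all; if that lookup returns NULL the clause degrades to `status_id != ` and the permission check fails with a SQL error rather than a clean denial. Binding all three values through the `%N` placeholder mechanism that `executeQuery()` already accepts keeps the typing in one place and makes the intent auditable; this assumes `getCaseActivityQuery()` does not itself use numbered placeholders, which should be confirmed before merging. The enclosing accessCase() signature is in the previous hunk, outside this one.
```php
    $condition = " AND civicrm_case.is_deleted = 0 ";
    $condition .= " AND case_relationship.contact_id_b = %1 ";
    $condition .= " AND civicrm_case.id = %2";
    $queryParams = array(
      1 => array($userID, 'Positive'),
      2 => array($caseId, 'Positive'),
    );

    if ($denyClosed) {
      $closedId = CRM_Core_OptionGroup::getValue('case_status', 'Closed', 'name');
      $condition .= " AND civicrm_case.status_id != %3";
      $queryParams[3] = array($closedId, 'Positive');
    }
    // … unchanged: explanatory comment and the getCaseActivityQuery('any', ...) call;
    //   the later `$queryParams = array();` line is dropped …
    $dao = CRM_Core_DAO::executeQuery($query, $queryParams);
```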
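Review bot: The bare `FALSE` in `accessCase($caseId, FALSE)` gives a reader of caseDetails() no hint of what is being relaxed, and this is the only call site in the commit that opts out of the default. A one-line comment above the `if` would make the decision visible during later reviews of this endpoint: `// FALSE: closed cases stay viewable in the details popup; only the relationship check applies.` The rest of caseDetails() continues past the end of this hunk.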